AMENDMENTS EN United in diversity EN. European Parliament Draft motion for a resolution Claude Moraes (PE595.


European Parliament 2014-2019
Committee on Civil Liberties, Justice and Home Affairs
2016/3018(RSP)
30.1.2017
AMENDMENTS 1-71
Claude Moraes (PE595.560v01-00)
Adequacy of the protection afforded by the EU-U.S. Privacy Shield (2016/3018(RSP))
AM\1115172.docx PE597.621v01-00 United in diversity


Amendment 1
Jan Philipp Albrecht
Citation 6 a (new)

Amendment:
having regard to the Commission communication to the European Parliament and the Council of 10 January 2017 on Exchanging and Protecting Personal Data in a Globalised World [1a];

[1a] COM(2017)07, 10.01.2017

Amendment 2
Jan Philipp Albrecht
Citation 6 b (new)

Amendment:
having regard to the judgment of the European Court of Justice of 21 December 2016 in Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for the Home Department v Tom Watson and Others [1a];

[1a] EU:C:2016:970

Amendment 3
Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni

Recital D

Motion for a resolution:
D. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield;

Amendment:
D. whereas in its Opinion 4/2016 the EDPS raised several concerns on the draft Privacy Shield; while the EDPS welcomes in the same opinion the efforts made by all parties to find a solution for transfers of personal data from the EU to the US for commercial purposes under a system of self-certification;

Amendment 4
Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Recital E

Motion for a resolution:
E. whereas in its Opinion 01/2016 the Article 29 Working Party on the draft EU-U.S. Privacy Shield adequacy implementing Commission Decision welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision whilst also raising strong concerns about both the commercial aspects and access by public authorities to data transferred under the Privacy Shield;

Amendment:
E. whereas in its Opinion 01/2016 the Article 29 Working Party on the draft EU-U.S. Privacy Shield adequacy implementing Commission Decision welcomed the significant improvements brought about by the Privacy Shield compared with the Safe Harbour decision and in particular, the insertion of key definitions, the mechanisms set up to ensure the oversight of the Privacy Shield list and the now mandatory external and internal reviews of compliance, and whereas the Working Party has also asked clarifications on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield;

Amendment 5

Josef Weidenholzer
Paragraph 1 a (new)

Amendment:
1a. Is aware that the EU-US Privacy Shield rests solely on PPD-28, which was issued by the President and can also be repealed by any future President without Congress's consent;

Or. de

Amendment 6
Axel Voss, Monika Hohlmeier, Jeroen Lenaers
Paragraph 2

Motion for a resolution:
2. Acknowledges that the EU-U.S. Privacy Shield contains significant improvements compared to the former EU-U.S. Safe Harbour and that U.S. organisations self-certifying adherence to the EU-U.S. Privacy Shield will have to comply with higher data protection standards than under Safe Harbour;

Amendment:
2. Acknowledges that the EU-U.S. Privacy Shield differs substantially from the Safe Harbour Framework, providing for a significantly more detailed documentation that imposes more specific obligations on companies willing to join the framework and that includes new checks and balances ensuring that the rights of EU data subjects can be exercised when their data are being processed in the US;

Amendment 7
Jan Philipp Albrecht
Paragraph 2

Motion for a resolution:
2. Acknowledges that the EU-U.S. Privacy Shield contains significant improvements compared to the former EU-U.S. Safe Harbour and that U.S. organisations self-certifying adherence to the EU-U.S. Privacy Shield will have to comply with higher data protection standards than under Safe Harbour;

Amendment:
2. Acknowledges that the EU-U.S. Privacy Shield contains significant improvements regarding the clarity of standards compared to the former EU-U.S. Safe Harbour and that U.S. organisations self-certifying adherence to the EU-U.S. Privacy Shield will have to comply with clearer data protection standards than under Safe Harbour;

Amendment 8
Josef Weidenholzer
Paragraph 2

Motion for a resolution:
2. Acknowledges that the EU-U.S. Privacy Shield contains significant improvements compared to the former EU-U.S. Safe Harbour and that U.S. organisations self-certifying adherence to the EU-U.S. Privacy Shield will have to comply with higher data protection standards than under Safe Harbour;

Amendment:
2. Acknowledges that the EU-U.S. Privacy Shield contains improvements compared to the former EU-U.S. Safe Harbour and that U.S. organisations self-certifying adherence to the EU-U.S. Privacy Shield will have to comply with higher data protection standards than under Safe Harbour;

Or. de

Amendment 9
Beatrix von Storch
Paragraph 2 a (new)

Amendment:
2a. Acknowledges that a French privacy advocacy group, La Quadrature du Net, has challenged the Adequacy Decision in a legal action to the CJEU claiming that the U.S. Ombudsman redress mechanism is not sufficiently independent and effective and therefore the Adequacy Decision must be annulled;

Amendment 10
Josef Weidenholzer
Paragraph 3

Motion for a resolution:
3. Takes note that on 6 December 2016, 1170 U.S. organisations have joined the EU-U.S. Privacy Shield;

Amendment:
3. Takes note that on 6 December 2016, 1170 U.S. organisations have joined the EU-U.S. Privacy Shield; regrets that the Privacy Shield is based solely on voluntary self-certification and therefore applies only to US organisations which have voluntarily signed up to it, which means that many companies are not covered by the scheme;

Or. de

Amendment 11
Axel Voss, Monika Hohlmeier, Jeroen Lenaers
Paragraph 3

Motion for a resolution:
3. Takes note that on 6 December 2016, 1170 U.S. organisations have joined the EU-U.S. Privacy Shield;

Amendment:
3. Takes note that on 6 December 2016, 1494 U.S. organisations have joined the EU-U.S. Privacy Shield;

Amendment 12
Beatrix von Storch

Paragraph 3 a (new)

Amendment:
3a. Acknowledges that there is a pending proceeding in the Irish High Court initiated by the Irish Data Protection Authority challenging the Adequacy Decision relating to the Standard Contractual Clauses (another mechanism to transfer personal data out of the EU) which may subsequently be referred to the CJEU;

Amendment 13
Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Paragraph 4

Motion for a resolution:
4. Acknowledges that the EU-U.S. Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the U.S.;

Amendment:
4. Acknowledges that the EU-U.S. Privacy Shield facilitates data transfers from SMEs and businesses in the Union to the U.S.; welcomes that companies are not left anymore in a legal limbo and that the EU-US Privacy Decision is providing a legal base for the data transfer; also recalls that legal certainty, and in particular clear and uniform rules are a key element for business development and growth, in particular for SMEs companies; insists in this regard that SMEs accounted for 60% of the companies relying on the Safe Harbour Framework and that SMEs stand to gain the most from the new Privacy Shield and calls on the Commission in close cooperation with the DPAs to provide for greater clarity, precision and accessibility in the implementing and functioning of the Privacy Shield for those companies;

Amendment 14
Beatrix von Storch
Paragraph 4 a (new)

Amendment:
4a. Acknowledges that Digital Rights Ireland (DRI) brought an action against the Commission's Adequacy Decision to the CJEU in which DRI claims that the Adequacy Decision of the European Commission regarding the EU-U.S. Privacy Shield is null and void as it does not provide a level of data protection equivalent to the level of data protection established by European data protection law;

Amendment 15
Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Paragraph 5

Motion for a resolution:
5. Notes that, in line with the ruling of the Court in the Schrems case, the powers of the European data protection authorities remain unaffected by the adequacy decision and hence they can exercise their powers, including the suspension or the ban of data transfers to an organisation registered in the EU-U.S. Privacy Shield;

Amendment:
5. Notes that, in line with the ruling of the Court in the Schrems case, the powers of the European data protection authorities remain unaffected by the adequacy decision and hence they can exercise their powers, including the suspension or the ban of data transfers to an organisation registered in the EU-U.S. Privacy Shield; welcomes in this regard the prominent role given by the Privacy Shield Framework to Member State DPAs to examine and investigate claims related to the protection of the rights to privacy and family life under the EU Charter of Fundamental Rights, to suspend transfers of data, as well as the obligation placed upon the US Department of Commerce to resolve such complaints;

Amendment 16
Axel Voss, Jeroen Lenaers, Michał Boni, Monika Hohlmeier
Paragraph 5 a (new)

Amendment:
5a. Notes with satisfaction that under the Privacy Shield Framework, EU data subjects dispose of several ways to pursue legal remedies in the US as first, complaints can be lodged either directly to the company or through the Department of Commerce following a referral by a Data Protection Authority (DPA) or to an independent dispute resolution body; secondly, with regard to interferences with fundamental rights for the purpose of national security, a civil claim can be brought before the US court. Similar complaints can also be addressed by the newly-created independent Ombudsperson; finally, complaints about interferences with fundamental rights for the purposes of law enforcement further and the public interest can be dealt with by motions challenging subpoenas; encourages further guidance from the European Commission and DPAs to make those legal remedies all more easily accessible and available;

Amendment 17
Beatrix von Storch
Paragraph 5 a (new)

Amendment:
5a. Calls on the Commission to halt implementation of the decision in light of these several challenges and the seriousness of the allegations contained therein;

Amendment 18
Josef Weidenholzer
Paragraph 6

Motion for a resolution:
6. Acknowledges the clear commitment of the U.S. Department of Commerce to closely monitor the compliance by U.S. organisations of the EU-U.S. Privacy Shield principles and their intention to take enforcement actions against entities failing to comply;

Amendment:
6. Doubts whether the U.S. Department of Commerce is the right body to monitor compliance with data protection provisions, but acknowledges the clear commitment of the U.S. Department of Commerce to closely monitor the compliance by U.S. organisations of the EU-U.S. Privacy Shield principles and their intention to take enforcement actions against entities failing to comply; calls for a written report on possible enforcement actions in the event of failure to comply;

Or. de

Amendment 19
Beatrix von Storch

Paragraph 6 a (new)

Amendment:
6a. Recalls that by failing to fully transpose the rights contained in Directive 95/46 (specifically at Article 14 and 15), the implementing decision, on its face, fails to adequately ensure that the European Union citizens' rights under EU law are fully provided for where their data is transferred to the United States of America;

Amendment 20
Sophia in 't Veld
Paragraph 6 a (new)

Amendment:
6a. Reiterates its call on the Commission to seek clarification on the legal status of the written assurances provided by the US and to ensure that any commitment or arrangement foreseen under the Privacy Shield are maintained following the taking up of office of a new administration in the United States;

Amendment 21
Christine Revault D'Allonnes Bonnefoy, Sylvie Guillaume
Paragraph 6 a (new)

Amendment:
6a. Calls on the Commission to monitor the American department's commitments carefully now that a new administration is on the point of taking office;

Or. fr

Amendment 22
Axel Voss, Michał Boni, Jeroen Lenaers, Monika Hohlmeier
Paragraph 7

Motion for a resolution:
7. Considers that, despite the clarifications made by the U.S. administration by means of the letters attached to the Privacy Shield arrangement, important concerns remain as regards commercial aspects, national security and law enforcement;

Amendment:
7. Considers that, despite the commitments and assurances made by the U.S. government by means of the letters attached to the Privacy Shield arrangement, important questions remain as regards certain commercial aspects, national security and law enforcement;

Amendment 23
Jan Philipp Albrecht
Paragraph 7 a (new)

Amendment:
7a. Specifically notes the significant difference between the protection provided by Article 7 of Directive 95/46/EC and the notice and choice principle of the Privacy Shield arrangement, as well as the considerable differences between Article 6 of Directive 95/46/EC and the data integrity and purpose limitation principle of the Privacy Shield arrangement; points out that instead of the need for a legal basis (such as consent or contract) that applies to all processing operations, the data subject rights under the Privacy Shield Principles only apply to two narrow processing operations (disclosure and change of purpose) and only provide for a right to object ("opt-out");

Amendment 24
Beatrix von Storch
Paragraph 7 a (new)

Amendment:
7a. Recalls that insofar as the implementing decision allows, or in the alternative fails and has failed to safeguard against indiscriminate access to electronic communications by foreign law enforcement authorities, and fails to provide an adequate remedy to EU citizens whose personal data is thus accessed, it denies the individual the right to an Effective Remedy and the right to Good Administration, contrary to the Charter of Fundamental Rights and the General Principles of EU Law;

Amendment 25
Christine Revault D'Allonnes Bonnefoy, Sylvie Guillaume
Paragraph 7 a (new)

Amendment:
7a. Takes the view that these numerous concerns could lead to a fresh challenge to the decision on the adequacy of the protection being brought before the courts in the future; emphasises the harmful consequences as regards both respect for fundamental rights and the necessary legal certainty for stakeholders;

Or. fr

Amendment 26
Axel Voss, Michał Boni, Jeroen Lenaers, Monika Hohlmeier
Paragraph 8

Motion for a resolution:
8. Notes, amongst others, the lack of specific rules on automated decision-making, on a general right to object, and the lack of clear principles on how the Privacy Shield Principles apply to processors (agents);

Amendment:
8. Notes that, although U.S. law offers specific protections against adverse decisions in areas where companies most likely resort to automated processing (e.g. employment, credit lending), no specific rules on automated decision-making are provided for in the Privacy Shield and therefore calls on the Commission to monitor the situation, including through the annual reviews;

Amendment 27
Axel Voss, Jeroen Lenaers, Monika Hohlmeier
Paragraph 8 a (new)

Amendment:
8a. Notes that, while individuals have the possibility to object vis-à-vis the EU controller to any transfer of their personal data to the U.S., and to the further processing of those data in the U.S. where the Privacy Shield company acts as a processor on behalf of the EU controller, the Privacy Shield lacks specific rules on a general right to object vis-à-vis the U.S. self-certified company;

Amendment 28
Jan Philipp Albrecht
Paragraph 8 a (new)

Amendment:
8a. Notes that only a fraction of the U.S. organisations that have joined Privacy Shield have chosen to use an EU data protection authority for the dispute resolution mechanism; is concerned that this constitutes a disadvantage for EU citizens when trying to enforce their rights;

Amendment 29
Beatrix von Storch
Paragraph 8 a (new)

Amendment:
8a. Recalls that the contested decision is incompatible with Articles 7 and 8 and Article 52(1) of the Charter of Fundamental Rights of the European Union;

Amendment 30

Axel Voss, Jeroen Lenaers, Monika Hohlmeier
Paragraph 8 b (new)

Amendment:
8b. Notes the lack of explicit principles on how the Privacy Shield Principles apply to processors (agents), while recognizing that all Principles apply to the processing of personal data by any U.S. self-certified company "[u]nless otherwise stated" and that the transfer for processing purposes always requires a contract with the EU controller which will determine the purposes and means of processing, including whether the processor is authorised to carry out onward transfers (e.g. for subprocessing);

Amendment 31
Josef Weidenholzer
Paragraph 9

Motion for a resolution:
9. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Director of National Intelligence Office in the letters attached to the Privacy Shield framework, bulk surveillance, despite the different terminology used by the U.S. authorities, remains possible;

Amendment:
9. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Director of National Intelligence Office in the letters attached to the Privacy Shield framework, bulk surveillance, despite the different terminology used by the U.S. authorities, remains possible; regrets the lack of a uniform definition of the concept of bulk surveillance and the adoption of the American terminology, and therefore calls for a uniform definition of bulk surveillance linked to the European understanding of the term, where evaluation is not made dependent on selection; stresses that any kind of mass surveillance is in breach of the EU Charter of Fundamental Rights;

Or. de

Amendment 32
Axel Voss, Jeroen Lenaers, Monika Hohlmeier
Paragraph 9

Motion for a resolution:
9. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Director of National Intelligence Office in the letters attached to the Privacy Shield framework, bulk surveillance, despite the different terminology used by the U.S. authorities, remains possible;

Amendment:
9. Stresses that, as regards national security and surveillance, notwithstanding the representations and assurances provided by the Director of National Intelligence Office in the letters attached to the Privacy Shield framework, bulk surveillance, despite the different terminology used by the U.S. authorities, remains possible in exceptional cases and within limits in particular as regards the application of filters used to focus the collection on personal data responsive to specific foreign intelligence needs and to limit the collection of non-pertinent information (minimization);

Amendment 33
Beatrix von Storch
Paragraph 9

Motion for a resolution:
9. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Director of National Intelligence Office in the letters attached to the Privacy Shield framework, bulk surveillance, despite the different terminology used by the U.S. authorities, remains possible;

Amendment:
9. Stresses that, as regards national security and surveillance, notwithstanding the clarifications brought by the Director of National Intelligence Office in the letters attached to the Privacy Shield framework, bulk surveillance, despite the different terminology used by the U.S. authorities, remains not only possible but likely, given U.S. intelligence services' blatant disregard for privacy of not only foreign citizens but its own as revealed by the whistleblower, Edward Snowden;

Amendment 34
Jan Philipp Albrecht
Paragraph 9 a (new)

Amendment:
9a. Stresses that in its judgment of 21 December 2016, the Court of Justice of the European Union clarified that the Charter of Fundamental Rights must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication; points out that the bulk surveillance in the U.S. therefore does not provide for an essentially equivalent level of the protection of personal data and communications;

Amendment 35
Sophia in 't Veld
Paragraph 9 a (new)

Amendment:
9a. is alarmed by the recent revelations about surveillance activities conducted by Yahoo! on all emails reaching its servers, upon request of the NSA and the FBI, as late as 2015, which is one year after Presidential Policy Directive 28 was adopted and during the negotiation of the EU-U.S. Privacy Shield; insists that the Commission seeks full clarification from the US authorities and makes the answers provided available to the Council, Parliament and national data protection authorities;

Amendment 36
Jan Philipp Albrecht
Paragraph 9 a (new)

Amendment:
9a. Is alarmed by the recent revelations about bulk surveillance done by Yahoo on all emails reaching its servers, on behalf of the NSA and the FBI, as late as 2015, which is two years after the revelations by Edward Snowden and one year after Presidential Policy Directive 28 was adopted; sees this as a reason to strongly doubt the assurances brought by the Director of National Intelligence Office; points out that the new U.S. President can unilaterally repeal or amend PPD-28;

Amendment 37

Beatrix von Storch
Paragraph 9 a (new)

Amendment:
9a. Recalls that by failing to fully transpose the provisions contained in Directive 95/46 (specifically Article 28(3)), the implementing decision, on its face, fails to adequately ensure that the European Union citizens' rights under EU law are fully provided for where their data is transferred to the United States of America;

Amendment 38
Cornelia Ernst
Paragraph 9 a (new)

Amendment:
9a. deplores that the EU-US Privacy Shield does not prohibit the collection of bulk data for law enforcement purposes;

Amendment 39
Sophia in 't Veld
Paragraph 9 b (new)

Amendment:
9b. Expresses great concerns at the issuance of the Procedures for the Availability or Dissemination of Raw Signals Intelligence Information by the National Security Agency under Section 2.3 of Executive Order 12333, approved by the Attorney General on January 3, 2017, allowing National Security Agency to share vast amounts of private data gathered without warrant, court orders or congressional authorization with 16 other agencies, including the FBI, the Drug Enforcement Agency, and the Department of Homeland Security; calls on the Commission to immediately assess the compatibility of these new rules with the commitments made by the US authorities under the Privacy Shield, as well as its impact on the level of protection of personal data protection in the United States;

Amendment 40
Jan Philipp Albrecht
Paragraph 9 b (new)

Amendment:
9b. Is equally alarmed by the new Raw SIGINT Availability Procedures under Executive Order 12333 of 12 January 2017 [1a], which give U.S. intelligence agencies much broader access to raw communications data collected by the NSA; points out that signals intelligence data collections under EO 12333 take place without warrants or court approval;

[1a] https://www.dni.gov/files/documents/icotr/RawSIGINTGuidelines-as-approvedredacted.pdf

41 Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Paragraph 10

Motion for a resolution:
10. Deplores that, neither the Privacy Shield Principles nor the letters of the U.S. administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to an U.S. organisation under the Privacy Shield Principles and further accessed and processed by U.S. public authorities for law enforcement and public interest purposes, as required by article 47 of the Charter;

Amendment:
10. Recalls its Resolution of 26 May 2016 welcoming the introduction of new redress mechanisms under the Privacy Shield, but also recognizes that questions remain as to whether the Privacy Shield Principles and the letters of the U.S. administration provide sufficient clarifications and assurances to demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to an U.S. organisation under the Privacy Shield Principles and further accessed and processed by U.S. public authorities for law enforcement and public interest purposes, as required by article 47 of the Charter;

42 Jan Philipp Albrecht
Paragraph 10

Motion for a resolution:
10. Deplores that, neither the Privacy Shield Principles nor the letters of the U.S. administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to an U.S. organisation under the Privacy Shield Principles and further accessed and processed by U.S. public authorities for law enforcement and public interest purposes, as required by article 47 of the Charter;

Amendment:
10. Deplores that, neither the Privacy Shield Principles nor the letters of the U.S. administration providing clarifications and assurances demonstrate the existence of effective judicial redress rights for individuals in the EU whose personal data are transferred to an U.S. organisation under the Privacy Shield Principles and further accessed and processed by U.S. public authorities for law enforcement and public interest purposes, which were emphasized by the European Court of Justice in its judgment of 6 October 2015 as the essence of the fundamental right in article 47 of the Charter;

43 Sophia in 't Veld
Paragraph 10 a (new)

10a. Reminds that Annex VI (letter from Robert S. Litt, Office of the Director of National Intelligence (ODNI)) clarifies that under Presidential Policy Directive 28 (hereinafter 'PPD-28'), bulk collection of personal data and communications of non-US persons is still permitted in six cases; points out that such bulk collection only has to be as tailored as feasible and reasonable, which does not meet the stricter criteria of necessity and proportionality as laid down in the Charter;

44 Beatrix von Storch
Paragraph 10 a (new)

10a. Recalls that the provisions of the FISA Amendments Act of 2008 constitute legislation permitting public authorities to have secret access on a generalised basis to the content of electronic communications and consequently are not concordant with Article 47 of the Charter of Fundamental Rights of the European Union;

45 Sophia in 't Veld
Paragraph 11

Motion for a resolution:
11. Recalls its Resolution of 26 May 2016 that the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry on its duties and provide effective redress to EU individuals;

Amendment:
11. Recalls its Resolution of 26 May 2016 that the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry on its duties and provide effective redress to EU individuals; points out that to date the incoming US administration has not appointed a new Ombudsperson following the end of term of the Under Secretary for Economic Growth, Energy, and the Environment appointed to this role in July 2016; considers that in the absence of an appointed independent and sufficiently empowered Ombudsperson, the US assurances with regards to the provision of effective redress to EU individuals would be null and void;

46 Axel Voss, Jeroen Lenaers, Monika Hohlmeier
Paragraph 11

Motion for a resolution:
11. Recalls its Resolution of 26 May 2016 that the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry on its duties and provide effective redress to EU individuals;

Amendment:
11. Recalls its Resolution of 26 May 2016 that the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry on its duties and provide effective redress to EU individuals, while recognizing that according to the representations and assurances provided by the U.S. government the Ombudsperson is independent from the U.S. intelligence services, free from any improper influence that could affect its function and moreover works together with other, independent oversight bodies with effective powers of supervision over the U.S. Intelligence Community;

47 Josef Weidenholzer
Paragraph 11

Motion for a resolution:
11. Recalls its Resolution of 26 May 2016 that the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry on its duties and provide effective redress to EU individuals;

Amendment:
11. Recalls its Resolution of 26 May 2016 that the Ombudsperson mechanism set up by the U.S. Department of State is not sufficiently independent and is not vested with sufficient effective powers to carry on its duties and provide effective redress to EU individuals; is generally concerned that an individual affected by a breach of the rules can apply only for information and for the data to be deleted and/or for a stop to further processing, but has no right to compensation;

Or. de

48 Jan Philipp Albrecht
Paragraph 11 a (new)

11a. Is in summary not convinced that the improvements made since its Resolution of 26 May 2016 will be sufficient to prevent the European Court of Justice from invalidating Commission Implementing Decision (EU) 2016/1250 on the Privacy Shield; is therefore concerned that this will undermine the overall trust in Commission Implementing Decisions on adequacy and thereby damage the Commission's new strategy for exchanging and protecting data in a globalised world;

49 Beatrix von Storch
Paragraph 11 a (new)

11a. Recalls that the provisions of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 ('FISA Amendments Act of 2008') constitute legislation permitting public authorities to have access on a generalised basis to the content of electronic communications and consequently are not concordant with Article 7 of the Charter of Fundamental Rights of the European Union;

50 Beatrix von Storch
Paragraph 12 a (new)

12a. Recalls that the privacy principles and/or the official (US) representations and commitments contained in Annexes I, III to VII of the contested decision do not constitute international commitments within the meaning of Article 25(6) of Directive 95/46;

51 Axel Voss, Monika Hohlmeier, Jeroen Lenaers
Paragraph 13

Motion for a resolution:
13. Regrets that the Commission followed the procedure for adoption of the Commission implementing decision in a practical manner that de facto has not enabled the Parliament to exercise its right of scrutiny on the draft implementing act in an effective manner;

Amendment:
13. Underlines that the Commission followed the adequate procedure for adoption of the Commission implementing decision and stresses that the Parliament was informed on time in order to exercise its right of scrutiny on the draft implementing act in an effective manner;

52 Beatrix von Storch
Paragraph 13 b (new)

13b. Recalls that the implementing decision is not in accordance with Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union;

53 Jan Philipp Albrecht
Paragraph 14

Motion for a resolution:
14. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018;

Amendment:
14. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, which includes either a full revision, including substantive changes in U.S. laws and practices, or a repeal of Commission Implementing Decision (EU) 2016/1250, by then;

54 Maria Grapini
Paragraph 14

Motion for a resolution:
14. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018;

Amendment:
14. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, since it creates and reinforces obligations on controllers which extend beyond the principles developed in the Privacy Shield;

Or. ro

55 Josef Weidenholzer
Paragraph 14

Motion for a resolution:
14. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018;

Amendment:
14. Calls on the Commission to take all the necessary measures to ensure that the Privacy Shield will fully comply with Regulation (EU) 2016/679, to be applied as from 16 May 2018, and with the Charter of Fundamental Rights;

Or. de

56 Cornelia Ernst
Paragraph 14 a (new)

14a. calls on the Commission to ensure, in particular, that personal data that has been transferred to the US under the Privacy Shield can only be transferred to another third country if that transfer is compatible with the purpose for which the data was originally collected, and if the same rules of specific and targeted access for law enforcement apply in the third country;

57 Beatrix von Storch
Paragraph 14 a (new)

14a. Calls on the Commission to repeal the implementing decision declaring the adequacy of the EU-U.S. Privacy Shield and to refrain from adopting similar decisions;

58 Maria Grapini
Paragraph 14 a (new)

14a. Takes the view that relevant amendments adapting to the entry into force of Regulation 2016/679 should be made in good time to ensure a sound legal framework in order to provide a boost to cross-border relations;

Or. ro

59 Cornelia Ernst
Paragraph 14 b (new)

14b. calls on the Commission to ensure that personal data that is no longer necessary for the purpose for which it had been originally collected, is deleted, including by law enforcement agencies;

60 Cornelia Ernst
Paragraph 14 c (new)

14c. calls on the Commission to closely monitor whether the Privacy Shield allows for the data protection authorities to fully exercise all their powers and if not, to identify the provisions that result in a hindrance to the DPA's exercise of powers;

61 Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Paragraph 15

Motion for a resolution:
15. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution, in its Resolution of 26 May 2016 on Transatlantic data flows 12, and those identified by the Article 29 Working Party, the EDPS and the stakeholders, and to demonstrate how they have been addressed so as to ensure compliance with the Charter and Union law, and to evaluate meticulously if the mechanisms and safeguards indicated in the assurances and clarifications by the U.S. administration are effective and feasible;

12 Text adopted, P8_TA-PROV(2016)0233.

Amendment:
15. Calls on the Commission to conduct, during the first joint annual review, a thorough and in-depth examination of the adequacy finding and the legal justifications thereof, both with a view to ensuring that personal data are adequately protected and that is functioning efficiently without unnecessary impairment to the other fundamental rights, such as the right to privacy and security, the right to receive and impart information, and the right to conduct business, and to evaluate meticulously if the mechanisms and safeguards indicated in the assurances and clarifications by the U.S. administration are effective and feasible;

62 Beatrix von Storch
Paragraph 15 a (new)

15a. Calls for each Member State that desires a data sharing agreement system to negotiate and create its own data protection systems in accordance with their respective national requirements, democratic principles and laws;

63 Jan Philipp Albrecht
Paragraph 16

Motion for a resolution:
16. Calls on the Commission to ensure that for the conducting of the joint annual review, all the members of the team shall have full and unrestricted access to all documents and premises necessary for the performance of their task and that their independence in the performance of their tasks is ensured;

Amendment:
16. Calls on the Commission to ensure that for the conducting of the joint annual review, all the members of the team shall have full and unrestricted access to all documents and premises necessary for the performance of their task and that their independence in the performance of their tasks is ensured, including being entitled to issue dissident opinions in the final report of the joint review, which will be public and annexed to the joint report;

64 Sophia in 't Veld
Paragraph 16

Motion for a resolution:
16. Calls on the Commission to ensure that for the conducting of the joint annual review, all the members of the team shall have full and unrestricted access to all documents and premises necessary for the performance of their task and that their independence in the performance of their tasks is ensured;

Amendment:
16. Calls on the Commission to ensure that for the conducting of the joint annual review, all the members of the team shall have full and unrestricted access to all documents and premises necessary for the performance of their task, including elements allowing a proper evaluation of the necessity and proportionality of the collection and access to data transferred by public authorities, either for law enforcement or national security purposes;

65 Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Paragraph 16

Motion for a resolution:
16. Calls on the Commission to ensure that for the conducting of the joint annual review, all the members of the team shall have full and unrestricted access to all documents and premises necessary for the performance of their task and that their independence in the performance of their tasks is ensured;

Amendment:
16. Calls on the Commission to ensure that for the conducting of the joint annual review, all the members of the team shall have access to all documents in accordance with the existing rules on access to documents and premises necessary for the performance of their task and that their independence in the performance of their tasks is ensured;

66 Beatrix von Storch
Paragraph 16 a (new)

16a. Invites civil society within Member States to launch a European Citizens' Initiative in accordance with Article 24(1) of the Treaty on the Functioning of the European Union, in the spirit of direct democracy, to raise awareness and create a dialogue with the peoples of the EU Member States on Privacy Shield so that any such agreement complies with the concerns raised by the peoples of the Member States;

67 Sophia in 't Veld
Paragraph 16 a (new)

16a. stresses that any member of the joint review team shall be ensured its independence in the performance of its tasks and shall be entitled to express its own dissenting opinions in the final report of the joint review which will be public and annexed to the joint report;

68 Axel Voss, Monika Hohlmeier, Jeroen Lenaers
Paragraph 17

Motion for a resolution:
17. Calls on the Union Data Protection Authorities to monitor the functioning of the EU-U.S. Privacy Shield and to exercise their powers, including the suspension or definitive ban of personal data transfers to an organisation in the EU-U.S. Privacy Shield if they consider that the fundamental rights to privacy and the protection of personal data of the Union's data subjects are not ensured;

Amendment:
17. Calls on the Union Data Protection Authorities to monitor the functioning of the EU-U.S. Privacy Shield and to exercise their powers;

69 Beatrix von Storch
Paragraph 17 a (new)

17a. Recalls its follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens, paragraph 1a, and again urges Member States to drop any criminal charges against Edward Snowden, grant him protection and consequently prevent extradition or rendition by third parties, in recognition of his status as whistleblower and international human rights defender;

70 Beatrix von Storch
Paragraph 17 b (new)

17b. Acknowledges the Snowden revelations, without which the Safe Harbour agreement would likely stand and therefore violate the rights of the peoples of the EU's Member States without their knowledge or consent

71 Axel Voss, Monika Hohlmeier, Jeroen Lenaers, Michał Boni
Paragraph 18

Motion for a resolution:
18. Stresses that the European Parliament should have full access to any relevant document related to the joint annual review;

Amendment:
18. Stresses that the European Parliament should have access to documents related to the joint annual review, underlines that the access to these documents has to be in accordance with the existing rules on access to documents;